Re: ibus/CVE-2019-14822/glibc

To: Brian May <bam@debian.org>, debian-lts@lists.debian.org
Subject: Re: ibus/CVE-2019-14822/glibc
From: Emilio Pozuelo Monfort <pochu@debian.org>
Date: Thu, 19 Dec 2019 16:36:10 +0100
Message-id: <[🔎] 249f6fff-4f52-00a9-04e9-5092503894fc@debian.org>
In-reply-to: <[🔎] 87zhfwhm6s.fsf@silverfish.pri>
References: <[🔎] 87k1741xt6.fsf@silverfish.pri> <[🔎] 87zhfwhm6s.fsf@silverfish.pri>

On 13/12/2019 05:41, Brian May wrote:
> Brian May <brian@linuxpenguins.xyz> writes:
> 
>> Apparently the fix for ibus creates a regression in glibc that must get
>> fixed also:
>>
>> https://gitlab.gnome.org/GNOME/glib/merge_requests/1176
>>
>> However this patch patches GIO in glibc, and it looks like glibc in
>> Jessie (2.19-18+deb8u10) doesn't have this directory. Or anything
>> related to GIO that I can see.
>>
>> Hence, I am inclined to think maybe glibc doesn't need to be fixed in
>> Jessie.
> 
> i have back-ported the patches to the Jessie version. Hopefully this is
> correct :-)
> 
> https://gitlab.gnome.org/penguin_brian/glib/compare/2.42.1...fix_gio_auth
> 
> If I incorporate the test patch into the Debian package, expecting a
> test failure, instead I get the following results:
> 
> SKIP: gdbus-server-auth 1 /gdbus/server-auth # SKIP Testing interop with libdbus not supported
> SKIP: gdbus-server-auth 2 /gdbus/server-auth/tcp # SKIP Testing interop with libdbus not supported
> SKIP: gdbus-server-auth 3 /gdbus/server-auth/anonymous # SKIP Testing interop with libdbus not supported
> SKIP: gdbus-server-auth 4 /gdbus/server-auth/external # SKIP EXTERNAL authentication not implemented on this platform
> SKIP: gdbus-server-auth 5 /gdbus/server-auth/sha1 # SKIP Testing interop with libdbus not supported
> SKIP: gdbus-server-auth 6 /gdbus/server-auth/anonymous/tcp # SKIP Testing interop with libdbus not supported
> SKIP: gdbus-server-auth 7 /gdbus/server-auth/sha1/tcp # SKIP Testing interop with libdbus not supported
> 
> This is something I would like to be able to test before uploading. At
> least it does look like I enabled the test correctly.
> 
> Not sure when I will get to look at this again, I haven't claimed it, if
> somebody else wants to take over then go ahead.

I have been looking at this, but building glib with only the two fix commits
(not the tests one) makes the build hang on the network-monitor tests. I haven't
investigated much yet, but I wonder if it may be an issue with my local
configuration. Did you glib build succeed? If so can you publish the source and
debs? I'd like to test that with some qt5 apps to verify the regression fix.

Thanks,
Emilio

Reply to:

References:
- ibus/CVE-2019-14822/glibc
  - From: Brian May <brian@linuxpenguins.xyz>
- Re: ibus/CVE-2019-14822/glibc
  - From: Brian May <bam@debian.org>

Prev by Date: (semi-)automatic unclaim of packages with more than 2 weeks of inactivity
Next by Date: Issues regarding ruby-rack/CVE-2019-16782
Previous by thread: Re: ibus/CVE-2019-14822/glibc
Next by thread: RFT: Linux 3.16.79 package
Index(es):
- Date
- Thread